doc updates

sfreudenthaler · sfreudenthaler · commit 8e2726c5a7e4 · 2025-07-02T15:34:10.000-04:00
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,87 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Purpose
+
+This repository provides centralized, reusable GitHub Actions workflows for Claude AI integration across dotCMS and related projects. It implements a DRY approach by consolidating Claude workflow logic into orchestrator and executor patterns that can be consumed by other repositories.
+
+## Architecture Overview
+
+The repository implements a two-workflow architecture:
+
+### Core Workflows
+- **Claude Orchestrator** (`.github/workflows/claude-orchestrator.yml`): Routes different trigger types (PR events, comments, issues) to appropriate execution modes. Handles both interactive (@claude mentions) and automatic review modes.
+- **Claude Executor** (`.github/workflows/claude-executor.yml`): The execution engine that runs Claude AI actions with configurable tools, timeouts, and runners.
+
+### Key Design Patterns
+- **Reusable Workflows**: Both workflows use `workflow_call` to be consumed by other repositories
+- **Conditional Execution**: Orchestrator prevents duplicate runs by routing triggers to specific jobs
+- **Parameterization**: Workflows accept inputs for customization (prompts, tools, timeouts, runners)
+- **Security Isolation**: Each consuming repository must provide its own `ANTHROPIC_API_KEY` for cost tracking and security
+
+## Common Commands
+
+### Testing and Validation
+```bash
+# Lint YAML files
+yamllint -c .yamllint.yml **/*.yml **/*.yaml
+
+# Validate workflow syntax
+python -c "import yaml; yaml.safe_load(open('.github/workflows/claude-orchestrator.yml'))"
+python -c "import yaml; yaml.safe_load(open('.github/workflows/claude-executor.yml'))"
+```
+
+### Workflow Testing
+The repository includes automated tests in `.github/workflows/tests.yml` that:
+- Lint all YAML files using yamllint configuration
+- Validate GitHub Actions workflow syntax
+- Check for required workflow elements (name, on, jobs)
+- Validate secret requirements in reusable workflows
+
+## Configuration Files
+
+- **`.yamllint.yml`**: YAML linting configuration with 240-character line length limit and 2-space indentation
+- **Examples**: `examples/consumer-repo-workflow.yml` shows how consuming repositories should reference these workflows
+
+## Usage by Consuming Repositories
+
+Repositories use this workflow by creating a workflow file that calls the orchestrator:
+
+```yaml
+jobs:
+  claude:
+    uses: dotCMS/claude-workflows/.github/workflows/claude-orchestrator.yml@main
+    with:
+      # Repository-specific configurations
+      allowed_tools: |
+        Bash(terraform plan)
+        Bash(git status)
+      automatic_review_prompt: |
+        Custom review prompt for this repository
+    secrets:
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+## Security Requirements
+
+- Each consuming repository MUST provide its own `ANTHROPIC_API_KEY` secret
+- API keys are required for cost tracking, security isolation, and usage control
+- Workflows will fail if the API key is not provided
+
+## Workflow Triggers Supported
+
+- Interactive @claude mentions (case-insensitive) in:
+  - Issue comments
+  - Pull request review comments  
+  - Pull request reviews
+  - Issue titles/bodies
+  - Pull request titles/bodies
+- Automatic pull request reviews (when no @claude mention is present)
+
+## Default Configuration
+
+- **Timeout**: 15 minutes
+- **Runner**: ubuntu-latest  
+- **Default Tools**: `git status` and `git diff`
+- **Concurrency**: Prevents multiple Claude jobs per PR/issue
diff --git a/CLAUDE_WORKFLOW_MIGRATION.md b/CLAUDE_WORKFLOW_MIGRATION.md
@@ -0,0 +1,96 @@
+# Claude Workflow Migration Guide
+
+> **Note:** For main usage instructions and up-to-date examples, see [README.md](./README.md).
+
+## Overview
+This document outlines the migration of Claude AI workflows to the centralized `dotCMS/claude-workflows` repository to implement DRY principles and enable reuse across multiple repositories.
+
+## Files Created for claude-workflows Repository
+
+The following files should exist in the `dotCMS/claude-workflows` repository:
+
+### 1. `.github/workflows/claude-executor.yml`
+Location: `claude-executor-reusable.yml` (rename to `claude-executor.yml`)
+- Reusable workflow that handles Claude AI execution
+- Configurable allowed tools, timeout, and runner
+- Accepts trigger mode and direct prompt inputs
+
+### 2. `.github/workflows/claude-orchestrator.yml`  
+Location: `claude-orchestrator-reusable.yml` (rename to `claude-orchestrator.yml`)
+- Reusable workflow that orchestrates Claude interactions
+- Handles all trigger events (comments, PRs, issues)
+- Configurable prompts, tools, and executor workflow reference
+
+## Migration Benefits
+
+### Before (Current State)
+- Each repository maintains its own Claude workflow files
+- Duplication of logic across repositories
+- Updates require changes in multiple places
+- Inconsistent configurations between repositories
+
+### After (Centralized State)
+- Single source of truth for Claude workflows
+- Repository-specific configurations via parameters
+- Easier maintenance and updates
+- Consistent behavior across all repositories
+- DRY principle implementation
+
+## Implementation Steps
+
+### Step 1: Ensure Files Exist in claude-workflows Repository
+
+> **Historical Note:** This step is already completed in this repository. The required workflows are present and correctly named. For forks or future migrations, ensure the following files exist in the correct locations:
+> - `.github/workflows/claude-executor.yml`
+> - `.github/workflows/claude-orchestrator.yml`
+
+### Step 2: Repository Configuration
+The infrastructure-as-code repository has been updated to:
+- Reference centralized workflows from `dotCMS/claude-workflows`
+- Maintain infrastructure-specific configurations:
+  - Terraform/Terragrunt allowed tools
+  - Cost-aware automatic review prompts
+  - Customer path exclusions
+
+### Step 3: Validation
+After setup, test the workflows by:
+1. Creating a test PR
+2. Verifying automatic reviews work
+3. Testing @claude mentions in comments
+4. Confirming path exclusions still apply
+
+## Key Features Preserved
+
+### Infrastructure-Specific Configurations
+- **Allowed Tools**: Terraform, Terragrunt, and Git commands
+- **Automatic Review Prompt**: Includes cost impact analysis
+- **Path Exclusions**: Customer-specific Kubernetes files ignored
+- **Timeout**: 15-minute execution limit
+- **Runner**: Ubuntu-latest
+
+### Workflow Triggers
+- Interactive @claude mentions (case-insensitive)
+- Automatic PR reviews (when no @claude mention)
+- Issue comments and reviews
+- Pull request events
+
+### Concurrency Control
+- Prevents multiple Claude jobs per PR/issue
+- Maintains existing behavior
+
+## Next Steps
+
+1. **Ensure reusable workflows exist** in claude-workflows repository (already done here)
+2. **Test the migration** with a sample PR
+3. **Apply to other repositories** using the same pattern
+4. **Document usage** for other teams
+
+## Benefits for Other Repositories
+
+Other dotCMS repositories can now easily add Claude support by:
+1. Creating a simple orchestrator workflow that calls the centralized version
+2. Customizing allowed tools for their specific needs
+3. Setting repository-specific prompts and configurations
+4. Maintaining consistent Claude behavior across the organization
+
+This migration addresses issue [dotCMS/dotcat#213](https://github.com/dotCMS/dotcat/issues/213) and establishes the foundation for organization-wide Claude workflow standardization.
diff --git a/README.md b/README.md
@@ -1,18 +1,66 @@
 # claude-workflows
 Reusable Claude AI GitHub Actions workflows and config for dotCMS and related projects
 
+## 🚀 Centralized Claude Workflows: Migration & Overview
+
+**This repository now provides a centralized, reusable system for all Claude AI GitHub Actions workflows.**
+
+- **Replaces the pilot workflow previously used in `dotcms/infrastructure-as-code`.**
+- **Keeps things DRY and maintainable** by consolidating logic into orchestrator and executor workflows.
+- **Still allows full repo-level customization** via workflow inputs (prompts, allowed tools, runners, etc.).
+
+---
+
+## Migration Guide: From Pilot to Centralized Workflows
+
+If you previously used the pilot Claude workflow in `dotcms/infrastructure-as-code`, follow these steps:
+
+1. **Remove references to the old pilot workflow** in your repository's workflow files.
+2. **Update your workflow to use the new orchestrator:**
+
+   ```yaml
+   jobs:
+     claude:
+       uses: dotCMS/claude-workflows/.github/workflows/claude-orchestrator.yml@main
+       with:
+         # Customize as needed for your repo
+         allowed_tools: |
+           Bash(terraform plan)
+           Bash(git status)
+         automatic_review_prompt: |
+           Please review this pull request for code quality, security, and best practices.
+       secrets:
+         ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+   ```
+3. **Configure your `ANTHROPIC_API_KEY` secret** as described below.
+4. **(Optional) Customize prompts, allowed tools, and runner as needed.**
+
+---
+
+## 📚 Migration Details
+
+For a comprehensive migration guide—including step-by-step instructions, validation tips, and infrastructure-specific configuration examples—see [CLAUDE_WORKFLOW_MIGRATION.md](./CLAUDE_WORKFLOW_MIGRATION.md).
+
+---
+
+## Top-Level Points
+
+- **Centralized, DRY, and maintainable:** All Claude logic is now in one place, making updates and improvements easy.
+- **Repo-level flexibility:** Each repository can override prompts, tools, and other settings via workflow inputs.
+- **Security & cost management:** Each repo must provide its own Anthropic API key for isolation and accountability.
+- **No more standalone code review workflow:** All code review and other Claude actions are routed through the orchestrator/executor pattern.
+
+---
+
 ## Important: Security and Cost Management
 
 **⚠️ API Key Requirement**: All workflows in this repository require each consuming repository to provide its own Anthropic API key. This is a mandatory security and cost management requirement.
 
 **Why we require per-repository API keys:**
 
 1. **Cost Tracking & Accountability**: Each repository's Claude AI usage is tracked separately in the Anthropic console, allowing for detailed cost attribution and budget management per project.
-
 2. **Security Isolation**: If a repository experiences unauthorized or excessive usage, it only affects that repository's API key and budget, not a shared organizational key.
-
 3. **Usage Control**: Individual repositories can set their own API limits and monitoring, preventing runaway costs from affecting other projects.
-
 4. **Compliance**: Many organizations require API key isolation for audit trails and security compliance.
 
 **What this means for you:**
@@ -21,17 +69,17 @@ Reusable Claude AI GitHub Actions workflows and config for dotCMS and related pr
 - The workflow will **fail** if the API key is not provided
 - Each repository is responsible for its own API costs and usage
 
+---
+
 ## Available Workflows
 
-### Claude Code Review (`claude-code-review.yml`)
-Provides AI-powered code review using Claude AI for pull requests and commits.
+### Claude Orchestrator (`claude-orchestrator.yml`)
+Routes all Claude triggers (PRs, issues, comments, reviews) to the correct execution mode and calls the executor workflow.
+
+### Claude Executor (`claude-executor.yml`)
+Handles the actual execution of Claude actions, with configurable parameters (prompts, allowed tools, runner, etc.).
 
-**Features:**
-- Reviews changed files in PRs automatically
-- Configurable review focus (general, security, performance, best-practices)
-- Posts review comments directly on PRs
-- Supports custom file selection
-- Uploads review artifacts
+---
 
 ## Setup Instructions
 
@@ -42,14 +90,9 @@ Each consuming repository must configure its own Anthropic API key:
 2. Create a new repository secret named `ANTHROPIC_API_KEY`
 3. Set the value to your Anthropic API key
 
-**Benefits of per-repository API keys:**
-- **Cost Tracking**: Each repository's usage is tracked separately in the Anthropic console
-- **Security Isolation**: Unauthorized usage in one repo won't affect others
-- **Usage Control**: Individual repos can manage their own API limits
-
-### 2. Using the Claude Code Review Workflow
+### 2. Using the Centralized Claude Workflow
 
-Create a workflow file in your repository at `.github/workflows/claude-review.yml`:
+Create a workflow file in your repository at `.github/workflows/claude-review.yml` (or similar):
 
 ```yaml
 name: PR Code Review with Claude
@@ -60,18 +103,16 @@ on:
     branches: [ main, develop ]
 
 jobs:
-  claude-review:
-    name: Claude AI Code Review
-    uses: dotCMS/claude-workflows/.github/workflows/claude-code-review.yml@main
+  claude:
+    uses: dotCMS/claude-workflows/.github/workflows/claude-orchestrator.yml@main
     with:
-      # Optional: Set review focus
-      review_focus: 'security'  # Options: general, security, performance, best-practices
-      
-      # Optional: Maximum number of files to review
-      max_files: 15
-      
-      # Optional: Specify specific files (defaults to all changed files)
-      # files_to_review: 'src/main.js,src/utils.js'
+      # Optional: Customize allowed tools
+      allowed_tools: |
+        Bash(terraform plan)
+        Bash(git status)
+      # Optional: Customize review prompt
+      automatic_review_prompt: |
+        Please review this pull request for code quality, security, and best practices.
     secrets:
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
 ```
@@ -80,23 +121,12 @@ jobs:
 
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
-| `files_to_review` | Comma-separated list of specific files to review | No | All changed files |
-| `review_focus` | Review focus area | No | `general` |
-| `max_files` | Maximum number of files to review | No | `10` |
-
-**Review Focus Options:**
-- `general`: Overall code quality, bugs, and improvements
-- `security`: Security vulnerabilities and best practices
-- `performance`: Performance issues and optimizations
-- `best-practices`: Code quality and maintainability
-
-### 4. Required Secrets
-
-| Secret | Description | Required | Notes |
-|--------|-------------|----------|-------|
-| `ANTHROPIC_API_KEY` | Your repository's Anthropic API key | **Yes** | Must be configured in each consuming repository. The workflow will fail without this secret. |
+| `automatic_review_prompt` | Custom prompt for automatic PR reviews | No | See orchestrator default |
+| `allowed_tools` | Custom allowed tools configuration | No | See orchestrator default |
+| `timeout_minutes` | Timeout for Claude execution | No | 15 |
+| `runner` | GitHub runner to use | No | ubuntu-latest |
 
-**⚠️ Critical**: The `ANTHROPIC_API_KEY` secret is mandatory and must be passed to the reusable workflow. This is not optional - it's a security and cost management requirement. See the "Security and Cost Management" section above for details.
+---
 
 ## Examples
 
